orc2timeline extracts and analyzes artifacts contained in archives generated with DFIR-ORC.exe to create a timeline from them

ANSSI-FR/orc2timeline


orc2timeline

orc2timeline stands for "ORC to timeline". ORC refers to DFIR-ORC, a tool used to parse and collect critical artefacts from a Windows system during an incident response.

orc2timeline can take one or several ORC archives as input and generates one timeline per host.

Installation

git clone https://github.com/ANSSI-FR/orc2timeline.git
cd orc2timeline
pip install .

Examples

Let us consider the following file tree:

$ tree ~
~
└── Documents
    ├── ORC
    │   ├── DFIR-ORC_Server_ServerName.domain_Browsers.7z
    │   ├── DFIR-ORC_Server_ServerName.domain_Detail.7z
    │   ├── DFIR-ORC_Server_ServerName.domain_General.7z
    │   ├── DFIR-ORC_Server_ServerName.domain_Little.7z
    │   ├── DFIR-ORC_Server_ServerName.domain_Powershell.7z
    │   ├── DFIR-ORC_Server_ServerName.domain_SAM.7z
    │   └── DFIR-ORC_Workstation_MachineName.domain_Offline.7z
    └── output_directory

3 directories, 7 files

Process all the ORC archives contained in a directory (orc2timeline infers the hostname from the file names and groups the files by host before processing them):

$ orc2timeline --tmp-dir=/tmp/data process_dir -j 4 ~/Documents/ORC ~/Documents/output_directory

This command will create the following files:

~
└── Documents
    └── output_directory
        ├── MachineName.domain.csv.gz
        └── ServerName.domain.csv.gz
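The grouping step described above (one timeline per host, hostname taken from the archive name) can be illustrated with a small parser. This is an added example, not code from the orc2timeline project: the file name pattern it relies on, DFIR-ORC_<label>_<hostname>_<configuration>.7z, is an assumption derived from the names listed in the tree above, and the sample listing is constructed from that same tree plus one unrelated file to show how non-ORC files are set aside.

```python
"""Group DFIR-ORC archives by host and derive the per-host timeline name.

Added example, not orc2timeline's own implementation. The naming convention
below is assumed from the archive names shown in the README.
"""
import re
from collections import defaultdict
from pathlib import PurePath

# Assumed convention: DFIR-ORC_<label>_<hostname>_<configuration>.7z
# The hostname may contain dots (ServerName.domain) but no underscores,
# which is what makes splitting on "_" unambiguous. A hostname containing
# an underscore would not match and the file would be reported as skipped
# rather than silently attributed to the wrong host.
ORC_NAME = re.compile(
    r"^DFIR-ORC_(?P<label>[^_]+)_(?P<host>[^_]+)_(?P<config>[^_]+)\.7z$"
)

# Constructed sample listing: the seven archives from the README tree plus
# one stray file that is not a DFIR-ORC archive.
SAMPLE_FILES = [
    "~/Documents/ORC/DFIR-ORC_Server_ServerName.domain_Browsers.7z",
    "~/Documents/ORC/DFIR-ORC_Server_ServerName.domain_Detail.7z",
    "~/Documents/ORC/DFIR-ORC_Server_ServerName.domain_General.7z",
    "~/Documents/ORC/DFIR-ORC_Server_ServerName.domain_Little.7z",
    "~/Documents/ORC/DFIR-ORC_Server_ServerName.domain_Powershell.7z",
    "~/Documents/ORC/DFIR-ORC_Server_ServerName.domain_SAM.7z",
    "~/Documents/ORC/DFIR-ORC_Workstation_MachineName.domain_Offline.7z",
    "~/Documents/ORC/collection_notes.txt",  # constructed, not an ORC archive
]


def parse_orc_name(path):
    """Return (hostname, configuration) for a DFIR-ORC archive name, or None
    when the file name does not follow the assumed convention."""
    match = ORC_NAME.match(PurePath(path).name)
    if match is None:
        return None
    return match.group("host"), match.group("config")


def group_by_host(paths):
    """Group archive paths by inferred hostname.

    Returns (groups, skipped): groups maps hostname -> sorted list of paths,
    skipped lists the paths that could not be parsed, so an analyst can see
    what was left out of the timelines instead of losing it silently."""
    groups = defaultdict(list)
    skipped = []
    for path in paths:
        parsed = parse_orc_name(path)
        if parsed is None:
            skipped.append(path)
            continue
        host, _config = parsed
        groups[host].append(path)
    return {host: sorted(files) for host, files in groups.items()}, skipped


def timeline_names(groups, output_dir):
    """Map each hostname to the timeline file the README shows being produced:
    <output_dir>/<hostname>.csv.gz"""
    return {
        host: str(PurePath(output_dir) / f"{host}.csv.gz") for host in groups
    }


if __name__ == "__main__":
    groups, skipped = group_by_host(SAMPLE_FILES)
    for host, files in groups.items():
        print(f"{host}: {len(files)} archive(s)")
    print("skipped:", skipped)
    print(timeline_names(groups, "~/Documents/output_directory"))
```

Running the block on the constructed listing yields two hosts, ServerName.domain with six archives and MachineName.domain with one, and reports the stray text file as skipped. Keeping the skipped list explicit matters in an investigation: an archive that is silently dropped at this stage never reaches the timeline, and its absence is easy to miss later.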

Documentation

More detailed documentation is provided if needed:
